ai
Description
Executes a request to an external inference model.
warning
The command requires a configured sm-ai service to work.
Syntax
... | ai model="<model>" output="<field>[,<field>]" [mode=summary|per_row] [preset=<preset>] [system_message="<text>"] [user_message="<text>"] [input="<field>[,<field>]"|"*"] [temperature=<number>] [max_tokens=<int>] [max_prompt_tokens=<int>] [timeout=<int>]
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
| model | model="<model_name>" | Name of the language model registered in the registry. |
| output | output="<field>[,<field>]" | Name or comma-separated list of output result fields. |
Optional Arguments
| Parameter | Syntax | Default Value | Description |
|---|---|---|---|
| mode | mode=summary or mode=per_row | summary | Processing mode. summary: the entire context is reduced to one result line; per_row: each line is enriched with output fields. |
| preset | preset=<preset_name> | | Preset name with predefined parameters. Explicit arguments in the command override preset values. |
| system_message | system_message="<text>" | | Model system instruction. |
| user_message | user_message="<text>" | | Model user instruction. |
| input | input="<field>[,<field>]" or input="*" | * | Context string fields to pass. * means all fields. |
| temperature | temperature=<number> | | Generation temperature. |
| max_tokens | max_tokens=<int> | | Response token limit. |
| max_prompt_tokens | max_prompt_tokens=<int> | 60000 | Prompt token limit. |
| timeout | timeout=<int> | Taken from sme.ai.timeout | Provider request timeout, ms. |
info
Presets are configured in the system interface. Parameters from the preset are applied as default values; explicit arguments in the command override preset values.
Processing Modes
summary (default)
Transforms the entire set of rows into one result:
- One LLM call is executed for the entire context
- One result row is returned
- The result row contains only fields from output
- For multiple output fields, a JSON object is expected in the model response
per_row
Enriches each source row with output fields:
- One LLM call is executed for all rows
- A response with results for each row is expected
- Source fields are preserved in the result rows and enriched with output fields
- If input limits the context, only specified fields go into the prompt, but final rows are taken from the source and enriched with output fields
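The per_row behavior described above, modeled in Python as an added example (not the product's own code): only the fields named in input enter the prompt context, while the final rows come from the source and gain the output fields. Rejecting a response with the wrong row count or a missing field, dropping keys not named in output, and the src.ip field are assumptions of this sketch.

```python
import json

def build_context(rows, input_fields="*"):
    """Project source rows onto the fields named in input ("*" = all fields)."""
    if input_fields == "*":
        return [dict(r) for r in rows]
    wanted = [f.strip() for f in input_fields.split(",")]
    return [{f: r[f] for f in wanted if f in r} for r in rows]

def enrich_per_row(rows, model_response, output_fields):
    """Merge one model response (JSON array, one object per row) into source rows."""
    wanted = [f.strip() for f in output_fields.split(",")]
    results = json.loads(model_response)
    # Assumption: the model response is untrusted, so a bad shape is rejected whole.
    if not isinstance(results, list) or len(results) != len(rows):
        raise ValueError("expected exactly one result per source row")
    enriched = []
    for src, res in zip(rows, results):
        if not isinstance(res, dict) or any(f not in res for f in wanted):
            raise ValueError("result is missing a declared output field")
        out = dict(src)                          # source fields are preserved
        out.update({f: res[f] for f in wanted})  # only declared output fields are added
        enriched.append(out)
    return enriched

# Constructed sample rows; src.ip is a hypothetical field left out of input.
ROWS = [
    {"host.name": "srv-1", "user.name": "admin", "message": "wmic remote process create", "src.ip": "10.0.0.5"},
    {"host.name": "srv-2", "user.name": "svc", "message": "normal login", "src.ip": "10.0.0.9"},
]
# Constructed model response; the extra "note" key is not named in output.
RESPONSE = json.dumps([
    {"risk": "high", "type": "lateral_movement", "reason": "Remote process execution via WMI.", "note": "x"},
    {"risk": "low", "type": "benign_activity", "reason": "No signs of attack detected."},
])

if __name__ == "__main__":
    print(json.dumps(build_context(ROWS, "host.name,user.name,message"), indent=2))
    print(json.dumps(enrich_per_row(ROWS, RESPONSE, "risk,type,reason"), indent=2))
```

Restricting input this way keeps fields such as src.ip out of the prompt sent to the external model while they still appear in the enriched result rows.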
System Settings
Settings are stored in _cluster/settings. The table below presents ai command settings and their default values.
| Name | Description | Default Value |
|---|---|---|
| sme.ai.inference_server_url | Inference service base URL. | http://localhost |
| sme.ai.inference_server_port | Inference service port. | 8010 |
| sme.ai.timeout | Inference service request timeout, ms. | 300000 |
Query Examples
Example 1
Minimal summary — k8s trace analysis.
source k8s_otel_traces
| search traceId="6955d7042d2182d3be9a840e15bbb3ee"
| ai model="gpt-oss-20b" user_message="What's wrong with this trace" output="summary"
Result (one row):
[
{"summary": "There is a connection error to adservice in the trace."}
]
Example 2
per_row with multiple output fields — semantic search with row enrichment.
source soc_events_prod
| semanticsearch
vector_field="event_embedding"
query="Signs of lateral movement via remote command execution and credential theft"
model_id="zXjJepwBnjnQtEv1MFtK"
| ai
model="gpt-oss-20b"
mode=per_row
input="host.name,user.name,message"
user_message="For each row return risk, type, reason"
output="risk,type,reason"
Result (rows enriched with new fields):
[
{
"host.name": "srv-1",
"user.name": "admin",
"message": "wmic remote process create",
"risk": "high",
"type": "lateral_movement",
"reason": "Remote process execution via WMI."
},
{
"host.name": "srv-2",
"user.name": "svc",
"message": "normal login",
"risk": "low",
"type": "benign_activity",
"reason": "No signs of attack detected."
}
]
Example 3
With preset — using predefined parameters with user_message override.
source soc_events_prod
| ai preset=my_preset output="summary" mode=summary user_message="How to fix the problem"
Example 4
With explicit limits.
source k8s_otel_traces
| ai model="gpt-oss-20b" output="summary" max_prompt_tokens=5000 max_tokens=700 timeout=600000